Many non-profit organizations presume that, because they are not businesses in the competitive, free-market sense, they don’t need to concern themselves with the high level of IT network security that is essential at for-profit companies. This is not the case.
Like so many for-profit companies, non-profits today do a lot of their business online. They accept donations, capture fundraising event registrations, and request visitor email information for online newsletters and capital campaigns. As such, non-profit IT networks are rich with personal information, from the one-time donors to ongoing sponsors. There’s a repository of data (often very personal and proprietary) that makes for an enticing target for cyber criminals.
With the threat of data breaches growing more serious by the month, and with organizations of every kind falling prey to compromised networks on a near-daily basis, a responsible non-profit has to consider network security a priority on par with fundraising and mission-fulfillment itself. If that sounds alarming, it should. And it goes without saying that many non-profits must do this while lacking the resources, in both staff and budget, that larger for-profit companies can draw from.
So, now that we have your attention and concern, where should you begin? Start with getting an overview of all the data collected by your non-profit, and get clarity on where, specifically, it is stored. Know what personal information you are collecting, from credit card numbers to addresses to occupations. There might even be unusual bits of data for something like password recovery that come from a pet’s name or favorite ice-cream flavor. Track it all down and see if it’s all essential. What can you do without? Streamline the data collection and you minimize the amount of data potentially at risk!
Another important factor is knowing the federal and state regulations that apply to the information your non-profit obtains. Almost every state has laws requiring non-profits to contact anyone whose personally identifiable information is compromised in a security breach. And the majority of states also require that you dispose of that data safely and securely. It’s a responsibility many nonprofit organizations don’t realize they have, so it’s worth training your IT team and staff so they understand this reality.
Overall, it’s important for everyone to understand the very real likelihood — even inevitability — that an organization’s database will have to withstand a cyber-attack. If hackers are successful, they can cause damage to operations, of course, but the breach can also severely undermine trust and can even hurt public image.
Sitting down with a strong third-party IT services partner is a smart step toward ensuring your non-profit data is as protected as possible. They can give your system the serious scrutiny demanded of a worthwhile evaluation, and really help identify and address vulnerabilities. But after you make that call, get the ball rolling internally by doing the following:
- Be Sure to Back Up
Operating with a single iteration of your data that could be compromised is incredibly risky. Routine system and data backups are essential, especially if you need to recover from a cyber-attack. Your organization is full of vital documents and data. Make sure someone is routinely backing them up to a storage option.
- Get Smart About Phishing Attacks
Train your employees not to click on links embedded in emails they don’t recognize or expect. Hackers do unsettlingly good work creating emails that look like they are from your favorite retailer or restaurant. But before you claim that free gift card, check the address and evaluate the URLs. If they look unfamiliar, delete that email immediately.
- Strengthen Passwords
PassWord1234, really? Encourage everyone to reset their passwords to ones that are more intricate and include numbers, symbols, and both upper- and lower-case letters, and make sure they aren’t derived from easy-to-find information like their children’s names. Even something simple like swapping zeros for the letter “o” and the number 3 for the letter “e” can make a big difference!
- Stay Updated
Don’t neglect regular system updates on all devices and desktops. Data security is never completely done. It needs continual review, with best practices changing regularly. That one staffer running an outdated version of a web browser is a proverbial Achilles heel in your IT security. This goes for routers, firmware, you name it. Keep it current!
- Maintain a Mindset of Constant Vigilance
There’s an old saying that it’s better to be a fighter in a garden than a gardener in a fight. If your IT team acts like it’s always under attack, it will always be working to stay ahead of the latest threats. Don’t presume that just because things are quiet there’s no threat. Many attacks operate almost invisibly, slowly stealing data over weeks and months. Stay vigilant and you stand a better chance of avoiding database corruption and operational disruption.
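The rules in the password tip (numbers, symbols, both cases, nothing derived from easy-to-find information) can be enforced when a password is set. This screening function is an added example, not part of the original article; the word list, the personal terms and the function names are constructed for illustration, and it compares after undoing common character swaps so that a swapped spelling of a name or common word is still caught.

```python
import re

# Undo look-alike swaps so "p@ssw0rd" is compared as "password".
LEET = str.maketrans("01345@$!", "oleasasi")
# Constructed sample; in practice load a published list of common passwords.
COMMON = ("password", "letmein", "welcome", "qwerty", "donate")
CLASSES = {
    "lower-case letter": r"[a-z]",
    "upper-case letter": r"[A-Z]",
    "number": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}

def normalize(word):
    """Lower-case, undo substitutions, and keep letters only."""
    return re.sub(r"[^a-z]", "", word.lower().translate(LEET))

def screen_password(candidate, personal_terms=()):
    """Return a list of problems; an empty list means the password passes."""
    problems = [f"missing a {name}" for name, pattern in CLASSES.items()
                if not re.search(pattern, candidate)]
    plain = normalize(candidate)
    for label, terms in (("common password", COMMON),
                         ("personal detail", personal_terms)):
        for term in terms:
            needle = normalize(term)
            # Skip very short terms to avoid flagging accidental matches.
            if len(needle) >= 3 and needle in plain:
                problems.append(f"contains {label} '{term}'")
    return problems

# Constructed personal details: a child's name and a pet's name.
KNOWN_ABOUT_USER = ["Emma", "Biscuit"]
```

`screen_password("Emm@2015!", KNOWN_ABOUT_USER)` meets every character rule yet is rejected for containing the child's name.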
We have deep experience working with nonprofit organizations to assist them with network security, managed accounting and donor services, and cloud-based business management systems. Contact me today to discuss your nonprofit’s business processes and technology platforms.